Abstract

In a recent provocative paper, Lamport points out "the insubstantiality of processes" by proving 
the equivalence of two different decompositions of the same intuitive algorithm by means of temporal 
formulas. We point out that the correct equivalence of algorithms is itself in the eye of the beholder. 
We discuss a number of related issues and, in particular, whether algorithms can be proved equivalent 
directly. 

1 Introduction 

This is a reaction to Leslie Lamport's "Processes are in the Eye of the Beholder" [13]. Lamport writes:

A concurrent algorithm is traditionally represented as the composition of processes. We show
by an example that processes are an artifact of how an algorithm is represented. The difference
between a two-process representation and a four-process representation of the same algorithm is
no more fundamental than the difference between 2 + 2 and 1 + 1 + 1 + 1.

To demonstrate his thesis, Lamport uses two different programs for a first-in, first-out ring buffer of size 
N. He represents the two algorithms by temporal formulas and proves the equivalence of the two temporal 
formulas. 

We analyze in what sense the two algorithms are and are not equivalent. There is no one notion of 
equivalence appropriate for all purposes and thus the "insubstantiality of processes" may itself be in the eye 
of the beholder. There are other issues where we disagree with Lamport. In particular, we give a direct 
equivalence proof for two programs without representing them by means of temporal formulas. 

This paper is self-contained. In the remainder of this section, we explain the two ring buffer algorithms
and discuss our disagreements with Lamport. In Section 2, we give a brief introduction to evolving algebras.
In Section 3, we present our formalizations of the ring buffer algorithms as evolving algebras. In Section 4, we
define a version of lock-step equivalence and prove that our formalizations of these algorithms are equivalent
in that sense. Finally, we discuss the inequivalence of these algorithms in Section 5.



1.1 Ring Buffer Algorithms 

The ring buffer in question is implemented by means of an array of N elements. The ith input (starting with
i = 0) is stored in slot i mod N until it is sent out as the ith output. Items may be placed in the buffer if and
only if the buffer is not full; of course, items may be sent from the buffer if and only if the buffer is not empty.
Input number i cannot occur until (1) all previous inputs have occurred and (2) either i < N or else output
number i − N has occurred. Output number i cannot occur until (1) all previous outputs have occurred and
(2) input number i has occurred. These dependencies are illustrated pictorially in Figure 1, where circles
represent the actions to be taken and arrows represent dependency relationships between actions.
Figure 1: Moves of the ring-buffer algorithm.



Lamport writes the two programs in a semi-formal language reminiscent of CSP [9] which we call Pseudo-
CSP. The first program, which we denote by R_pcsp, is shown in Figure 2. It operates the buffer using two
processes; one handles input into the buffer and the other handles output from the buffer. It gives rise to a
row-wise decomposition of the graph of moves, as shown in Figure 3. The second program, which we denote
by C_pcsp, is shown in Figure 4. It uses N processes, each managing input and output for one particular slot
in the buffer. It gives rise to a column-wise decomposition of the graph of moves, as shown in Figure 5.



    in, out : channel of Value
    buf : array 0 .. N - 1 of Value
    p, g : internal Natural initially 0

    Receiver:: *[ p - g /= N -> in ? buf[p mod N];
                  p := p + 1 ]
    ||
    Sender::   *[ p - g /= 0 -> out ! buf[g mod N];
                  g := g + 1 ]

Figure 2: A two-process ring buffer R_pcsp, in Pseudo-CSP.

In Pseudo-CSP, the semicolon represents sequential composition, || represents parallel composition, and *
represents iteration. The general meanings of ? and ! are more complicated; they indicate synchronization.
In the context of R_pcsp and C_pcsp, "in ?" is essentially a command to place the current input into the given
slot, and "out !" is essentially a command to send out the datum in the given slot as an output. In Section 3,
we will give a more complete explanation of the two programs in terms of evolving algebras.

After presenting the two algorithms in Pseudo-CSP, Lamport describes them by means of formulas in
TLA, the Temporal Logic of Actions [?], and proves the equivalence of the two formulas in TLA. He does
not prove that the TLA formulas are equivalent to the corresponding Pseudo-CSP programs. The Pseudo-
CSP presentations are there only to guide the reader's intuition. As we have mentioned, Pseudo-CSP is only
semi-formal; neither the syntax nor the semantics of it is given precisely.

However, Lamport provides a hint as to why the two programs themselves are equivalent. There is a close
correspondence of values between p and pp, and between g and gg. Figure 6, taken from [13], illustrates the
correspondence between p and pp for N = 4. The nth row describes the values of variables p and pp after
n inputs. The predicate IsNext(pp, i) is intended to be true for only one array position i at any state (the
position that is going to be active); the box indicates that position.
Figure 3: Moves of R_pcsp.



    in, out : channel of Value
    buf : array 0 .. N - 1 of Value
    pp, gg : internal array 0 .. N - 1 of {0, 1} initially 0

    Buffer(i : 0 .. N - 1) ::
      *[ IsNext(pp, i) -> in ? buf[i];
                          pp[i] := (pp[i] + 1) mod 2;
         IsNext(gg, i) -> out ! buf[i];
                          gg[i] := (gg[i] + 1) mod 2 ]

    IsNext(r, i) = if i = 0 then r[0] = r[N - 1]
                   else r[i] /= r[i - 1]

Figure 4: An N-process ring buffer C_pcsp, in Pseudo-CSP.
Figure 5: Moves of C_pcsp.
Figure 6: The correspondence between values of pp and p, for N = 4.
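As an added illustration (our Python, not code from Lamport's paper or from this one), the following program runs both decompositions of the ring buffer under a random scheduler and checks that each returns its input sequence as output, that is, that they agree in the sense of producing the same output on the same input. It assumes that each guarded command of the Pseudo-CSP programs (guard, communication, assignment) is taken as one atomic step, and it also exercises the correspondence of Figure 6 by recovering p mod 2N from the pp array after every input. The function names and the sample input are ours.

```python
"""Both ring-buffer decompositions of Section 1.1 run under a random
scheduler. Added example; the processes are modelled as guarded atomic
steps, which is an assumption about the semantics of Pseudo-CSP."""
import random


def is_next(r, i, N):
    """IsNext(r, i) of Figure 4: slot 0 is next when r[0] = r[N-1];
    any other slot i is next when r[i] differs from r[i-1]."""
    return r[0] == r[N - 1] if i == 0 else r[i] != r[i - 1]


def run_row(inputs, N, rng):
    """R_pcsp: a Receiver and a Sender sharing p, g and buf. Each guarded
    command 'guard -> communication; assignment' is one atomic move.
    Returns the output sequence and the trace of (move, slot) pairs."""
    buf, p, g, out, trace = [None] * N, 0, 0, [], []
    while len(out) < len(inputs):
        assert 0 <= p - g <= N                      # the p and g invariant
        enabled = []
        if p < len(inputs) and p - g != N:          # Receiver: buffer not full
            enabled.append("Receiver")
        if p - g != 0:                              # Sender: buffer not empty
            enabled.append("Sender")
        if rng.choice(enabled) == "Receiver":
            buf[p % N] = inputs[p]
            trace.append(("in", p % N))
            p += 1
        else:
            out.append(buf[g % N])
            trace.append(("out", g % N))
            g += 1
    return out, trace


def p_from_pp(pp, N):
    """Recover p mod 2N from pp (the correspondence of Figure 6): r is the
    unique slot with IsNext(pp, r); the parity of the completed laps around
    the buffer is pp[0] when r = 0 and 1 - pp[0] otherwise."""
    r = next(i for i in range(N) if is_next(pp, i, N))
    laps_parity = pp[0] if r == 0 else 1 - pp[0]
    return laps_parity * N + r


def run_col(inputs, N, rng):
    """C_pcsp: N Buffer(i) processes, each alternating between its input
    step (guarded by IsNext(pp, i)) and its output step (IsNext(gg, i))."""
    buf, pp, gg = [None] * N, [0] * N, [0] * N
    at_input = [True] * N                           # program counter of Buffer(i)
    n_in, out, trace = 0, [], []
    while len(out) < len(inputs):
        assert p_from_pp(pp, N) == n_in % (2 * N)   # pp tracks p (Figure 6)
        enabled = [i for i in range(N)
                   if (at_input[i] and n_in < len(inputs) and is_next(pp, i, N))
                   or (not at_input[i] and is_next(gg, i, N))]
        i = rng.choice(enabled)
        if at_input[i]:
            buf[i] = inputs[n_in]
            n_in += 1
            pp[i] ^= 1
            trace.append(("in", i))
        else:
            out.append(buf[i])
            gg[i] ^= 1
            trace.append(("out", i))
        at_input[i] = not at_input[i]
    return out, trace


def same_io_behaviour(inputs, N, seeds=range(25)):
    """Definition (1) of Section 1.2: both programs return the input
    sequence as output under every schedule tried."""
    for seed in seeds:
        out_row, _ = run_row(inputs, N, random.Random(seed))
        out_col, _ = run_col(inputs, N, random.Random(seed))
        if out_row != list(inputs) or out_col != list(inputs):
            return False
    return True


if __name__ == "__main__":
    sample = list(range(10))                        # constructed input data
    print(same_io_behaviour(sample, 4))             # True
    print(run_row(sample, 4, random.Random(1))[1][:6])
```

The traces returned next to the outputs are the row-wise and the column-wise views of the same graph of moves (Figure 1): in both programs the moves on any one slot alternate between "in" and "out", while the interleaving across slots depends on the scheduler.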
1.2 Discussion



There are three issues where we disagree with Lamport.

Issue 1: The Notion of Equivalence. What does it mean that two programs are equivalent? In our
opinion, the answer to the question depends on the desired abstraction. There are many reasonable
definitions of equivalence. Here are some examples.

1. The two programs produce the same output on the same input. 

2. The two programs produce the same output on the same input, and the two programs are of the same 
time complexity (with respect to your favorite definition of time complexity) . 

3. Given the same input, the two programs produce the same output and take precisely the same amount 
of time. 

4. No observer of the execution of the two programs can detect any difference. 

The reader will be able to suggest numerous other reasonable definitions for equivalence. For example, one
could substitute space for time in conditions (2) and (3) above. The nature of an "observer" in condition (4)
admits different plausible interpretations, depending upon what aspects of the execution the observer is
allowed to observe.

Let us stress that we do not promote any particular notion of equivalence or any particular class of such
notions. We only note that there are different reasonable notions of equivalence and there is no one notion of
equivalence that is best for all purposes. The two ring-buffer programs are indeed "strongly equivalent"; in
particular, they are equivalent in the sense of definition (1) above. However, they are not equivalent in the
sense of definition (4) for certain observers, or in the sense of some space-complexity versions of definitions
(2) and (3). See Section 5 in this connection.

Issue 2: Representing Programs as Formulas. Again, we quote Lamport [13]:

We will not attempt to give a rigorous meaning to the program text. Programming languages
evolved as a method of describing algorithms to compilers, not as a method for reasoning about
them. We do not know how to write a completely formal proof that two programming language
representations of the ring buffer are equivalent. In Section 2, we represent the program formally
in TLA, the Temporal Logic of Actions [?].

We believe that it is not only possible but also beneficial to give a rigorous meaning to one's programming
language and to prove the desired equivalence of programs directly. The evolving algebra method has been
used to give rigorous meaning to various programming languages [?, ?]. In a similar way, one may try to give
formal semantics to Pseudo-CSP (which is used in fact for describing algorithms to humans, not compilers).
Taking into account the modesty of our goals in this paper, we do not do that and represent R_pcsp and C_pcsp
directly as evolving algebra programs R_ea and C_ea and then work with the two evolving algebras.

One may argue that our translation is not perfectly faithful. Of course, no translation from a semi-formal
to a formal language can be proved to be faithful. We believe that our translation is reasonably faithful; we
certainly did not worry about the complexity of our proofs as we did our translations. Also, we do not think
that Lamport's TLA description of the Pseudo-CSP is perfectly faithful (see the discussion in subsection 3.2)
and thus we have two slightly different ideals to which we can be faithful. In fact, we do not think that
perfect faithfulness is crucially important here. We give two programming language representations R_ea and
C_ea of the ring buffer reflecting different decompositions of the buffer into processes. Confirming Lamport's
thesis, we prove that the two programs are equivalent in a very strong sense; our equivalence proof is direct.
Then we point out that our programs are inequivalent according to some natural definitions of equivalence.
Moreover, the same inequivalence arguments apply to R_pcsp and C_pcsp as well.
Issue 3: The Formality of Proofs. Continuing, Lamport writes [13]:

We now give a hierarchically structured proof that Π_2 and Π_N [the TLA translations of R_pcsp
and C_pcsp - GH] are equivalent [?]. The proof is completely formal, meaning that each step is a
mathematical formula. English is used only to explain the low-level reasoning. The entire proof
could be carried down to a level at which each step follows from the simple application of formal
rules, but such a detailed proof is more suitable for machine checking than human reading. Our
complete proof, with "Q.E.D." steps and low-level reasoning omitted, appears in Appendix A.

We prefer to separate the process of explaining a proof to people from the process of computer-aided
verification of the same proof [?]. A human-oriented exposition is much easier for humans to read and
understand than expositions attempting to satisfy both concerns at once. Writing a good human-oriented
proof is the art of creating the correct images in the mind of the reader. Such a proof is amenable to the
traditional social process of debugging mathematical proofs.

Granted, mathematicians make mistakes and computer-aided verification may be desirable, especially in 
safety-critical applications. In this connection we note that a human-oriented proof can be a starting point 
for mechanical verification. Let us stress also that a human-oriented proof need not be less precise than a 
machine-oriented proof; it simply addresses a different audience. 

Revisiting Lamport's Thesis. These disagreements do not mean that our position on "the insubstantiality
of processes" is the direct opposite of Lamport's. We simply point out that "the insubstantiality of
processes" may itself be in the eye of the beholder. The same two programs can be equivalent with respect
to some reasonable definitions of equivalence and inequivalent with respect to others.

2 Evolving Algebras 

Evolving algebras were introduced in [?]; a more detailed definition has appeared in [?]. Since its introduction,
this methodology has been used for a wide variety of applications: programming language semantics,
hardware specification, protocol verification, etc. It has been used to show equivalences of various kinds,
including equivalences across a variety of abstraction levels for various real-world systems, e.g. [?]. See [?, ?]
for numerous other examples.

We recall here only as much of evolving algebra definitions [?] as needed in this paper. Evolving algebras
(often abbreviated ealgebras or EA) have many other capabilities not shown here: for example, creating or
destroying agents during the evolution.

Those already familiar with ealgebras may wish to skip this section. 

2.1 States 

States are essentially logicians' structures except that relations are treated as special functions. They are
also called static algebras and indeed they are algebras in the sense of the science of universal algebra.

A vocabulary is a finite collection of function names, each of fixed arity. Every vocabulary contains the
following logic symbols: nullary function names true, false, undef, the equality sign, (the names of) the usual
Boolean operations and (for convenience) a unary function name Bool. Some function symbols are tagged
as relation symbols (or predicates); for example, Bool and the equality sign are predicates.

A state S of vocabulary Υ is a non-empty set X (the basic set or superuniverse of S), together with
interpretations of all function symbols in Υ over X (the basic functions of S). A function symbol f of arity r
is interpreted as an r-ary operation over X (if r = 0, it is interpreted as an element of X). The interpretations
of predicates (the basic relations) and the logic symbols satisfy the following obvious requirements. The
elements (more exactly, the interpretations of) true and false are distinct. These two elements are the only
possible values of any basic relation and the only arguments where Bool produces true. They are operated
upon in the usual way by the Boolean operations. The interpretation of undef is distinct from those of true
and false. The equality sign is interpreted as the equality relation. We denote the value of a term t in state
S by t_S.

Domains. Let f be a basic function of arity r and x range over r-tuples of elements of S. If f is a basic
relation then the domain of f at S is {x : f(x) = true}. Otherwise the domain of f at S is {x : f(x) ≠ undef}.

Universes. A basic relation f may be viewed as the set of tuples where it evaluates to true. If f is unary
it can be viewed as a universe. For example, Bool is a universe consisting of two elements (named) true and
false. Universes allow us to view states as many-sorted structures.

Types. Let f be a basic function of arity r and U_0, ..., U_r be universes. We say that f is of type
U_1 × ... × U_r → U_0 in the given state if the domain of f is U_1 × ... × U_r and f(x) ∈ U_0 for every x in the
domain of f. In particular, a nullary f is of type U_0 if (the value of) f belongs to U_0.

Example. Consider a directed ring of nodes with two tokens; each node may be colored or uncolored. We
formalize this as a state as follows. The superuniverse contains a non-empty universe Nodes comprising the
nodes of the ring. Also present is the obligatory two-element universe Bool, disjoint from Nodes. Finally,
there is an element (interpreting) undef outside of Bool and outside of Nodes. There is nothing else in the
superuniverse. (Usually we skip the descriptions of Bool and undef.) A unary function Next indicates the
successor to a given node in the ring. Nullary functions Token1 and Token2 give the positions of the two
tokens. A unary predicate Colored indicates whether the given node is colored.

2.2 Updates 

There is a way to view states which is unusual to logicians. View a state as a sort of memory. Define a
location of a state S to be a pair ℓ = (f, x), where f is a function name in the vocabulary of S and x is a
tuple of elements of (the superuniverse of) S whose length equals the arity of f. (If f is nullary, ℓ is simply
f.) In the two-token ring example, let a be any node (that is, any element of the universe Nodes). Then the
pair (Next, a) is a location.

An update of a state S is a pair α = (ℓ, y), where ℓ is a location of S and y is an element of S. To fire α
at S, put y into the location ℓ; that is, if ℓ = (f, x), redefine S to interpret f(x) as y; nothing else (including
the superuniverse) is changed. We say that an update (ℓ, y) of state S is trivial if y is the content of ℓ in
S. In the two-token ring example, let a be any node. Then the pair (Token1, a) is an update. To fire this
update, move the first token to the position a.

Remark to a curious reader. If ℓ = (Next, a), then (ℓ, a) is also an update. To fire this update, redefine
the successor of a; the new successor is a itself. This update destroys the ring (unless the ring had only one
node). To guard from such undesirable changes, the function Next can be declared static (see [?]) which will
make any update of Next illegal.

An update set over a state S is a set of updates of S. An update set is consistent at S if no two updates
in the set have the same location but different values. To fire a consistent set at S, fire all its members
simultaneously; to fire an inconsistent set at S, do nothing. In the two-token ring example, let a, b be two
nodes. Then the update set {(Token1, a), (Token1, b)} is consistent if and only if a = b.

2.3 Basic Transition Rules 

We introduce rules for changing states. The semantics for each rule should be obvious. At a given state S
whose vocabulary includes that of a rule R, R gives rise to an update set US(R, S); to execute R at S, one
fires US(R, S). We say that R is enabled at S if US(R, S) is consistent and contains a non-trivial update.
We suppose below that a state of discourse S has a sufficiently rich vocabulary.

An update instruction R has the form

    f(t_1, ..., t_r) := t_0

where f is a function name of arity r and each t_i is a term. (If r = 0 we write "f := t_0" rather than
"f() := t_0".) The update set US(R, S) contains a single element (ℓ, y), where y is the value (t_0)_S of t_0 at S
and ℓ = (f, (x_1, ..., x_r)) with x_i = (t_i)_S. In other words, to execute R at S, set f((t_1)_S, ..., (t_r)_S) to (t_0)_S
and leave the rest of the state unchanged. In the two-token ring example, "Token1 := Next(Token2)" is an
update instruction. To execute it, move token 1 to the successor of (the current position of) token 2.

A block rule R is a sequence R_1, ..., R_n of transition rules. To execute R at S, execute all the constituent
rules at S simultaneously. More formally, US(R, S) = US(R_1, S) ∪ ... ∪ US(R_n, S). (One is supposed to write "block"
and "endblock" to denote the scope of a block rule; we often omit them for brevity.) In the two-token ring
example, consider the following block rule:

    Token1 := Token2
    Token2 := Token1

To execute this rule, exchange the tokens. The new position of Token1 is the old position of Token2, and
the new position of Token2 is the old position of Token1.

A conditional rule R has the form

    if g then R_0 endif

where g (the guard) is a term and R_0 is a rule. If g holds (that is, has the same value as true) in S then
US(R, S) = US(R_0, S); otherwise US(R, S) = ∅. (A more general form is "if g then R_0 else R_1 endif", but
we do not use it in this paper.) In the two-token ring example, consider the following conditional rule:

    if Token1 = Token2 then
        Colored(Token1) := true
    endif

Its meaning is the following: if the two tokens are at the same node, then color that node.
2.4 Rules with Variables 

Basic rules are sufficient for many purposes, e.g. to give operational semantics for the C programming
language [?], but in this paper we need two additional rule constructors. The new rules use variables. Formal
treatment of variables requires some care but the semantics of the new rules is quite obvious, especially
because we do not need to nest constructors with variables here. Thus we skip the formalities and refer the
reader to [?]. As above S is a state of sufficiently rich vocabulary.

A parallel synchronous rule (or declaration rule, as in [?]) R has the form:

    var x ranges over U
        R(x)
    endvar

where x is a variable name, U is a universe name, and R(x) can be viewed as a rule template with free
variable x. To execute R at S, execute simultaneously all rules R(u) where u ranges over U. In the two-
token ring example, (the execution of) the following rule colors all nodes except for the nodes occupied by
the tokens.

    var x ranges over Nodes
        if x ≠ Token1 and x ≠ Token2 then
            Colored(x) := true
        endif
    endvar

A choice rule R has the form

    choose x in U
        R(x)
    endchoose

where x, U and R(x) are as above. It is nondeterministic. To execute the choice rule, choose arbitrarily one
element u in U and execute the rule R(u). In the two-token ring example, each execution of the following
rule either colors an unoccupied node or does nothing.

    choose x in Nodes
        if x ≠ Token1 and x ≠ Token2 then
            Colored(x) := true
        endif
    endchoose
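To make the update-set semantics of subsections 2.2 to 2.4 concrete, here is a small interpreter written for this page (it is not part of the paper or of any evolving algebra tool) that evaluates the five rule constructors over the two-token ring of the examples. States are dictionaries from locations to values, update sets are Python sets of (location, value) pairs, a rule is enabled when its update set is consistent and contains a non-trivial update, and firing an inconsistent set changes nothing, exactly as defined above. The encoding of terms as functions from states to values, the three-node ring and all identifiers are our choice.

```python
"""A small interpreter for the basic transition rules of Section 2
(update instruction, block, conditional, var, choose) over the two-token
ring of the examples. Added example; the encoding is ours."""
import random
from collections import namedtuple

UNDEF = "undef"


class State:
    """A state viewed as memory: locations (f, args) mapped to values.
    Locations absent from the map hold undef."""
    def __init__(self, universes, mem):
        self.universes = universes            # universe name -> set of elements
        self.mem = dict(mem)                  # (f, args) -> value

    def get(self, f, *args):
        return self.mem.get((f, args), UNDEF)

    def copy(self):
        return State(self.universes, self.mem)


# Terms are functions from a state to a value; rules are the constructors below.
Update = namedtuple("Update", "f arg_terms value_term")   # f(t1, ..., tr) := t0
Block = namedtuple("Block", "rules")                      # executed simultaneously
If = namedtuple("If", "guard rule")                       # if g then R endif
Var = namedtuple("Var", "universe body")                  # var x ranges over U: body(x)
Choose = namedtuple("Choose", "universe body")            # choose x in U: body(x)


def const(v):
    return lambda S: v


def nullary(f):
    return lambda S: S.get(f)


def update_set(rule, S, rng):
    """US(R, S): the set of (location, value) pairs the rule produces at S."""
    if isinstance(rule, Update):
        loc = (rule.f, tuple(t(S) for t in rule.arg_terms))
        return {(loc, rule.value_term(S))}
    if isinstance(rule, Block):
        return set().union(*(update_set(r, S, rng) for r in rule.rules))
    if isinstance(rule, If):
        return update_set(rule.rule, S, rng) if rule.guard(S) is True else set()
    if isinstance(rule, Var):
        return set().union(*(update_set(rule.body(u), S, rng)
                             for u in sorted(S.universes[rule.universe])))
    if isinstance(rule, Choose):                  # nondeterministic: one element of U
        u = rng.choice(sorted(S.universes[rule.universe]))
        return update_set(rule.body(u), S, rng)
    raise TypeError(rule)


def consistent(updates):
    """No two updates with the same location but different values."""
    seen = {}
    return all(seen.setdefault(loc, y) == y for loc, y in updates)


def enabled(rule, S, rng):
    """Enabled: the update set is consistent and contains a non-trivial update."""
    us = update_set(rule, S, rng)
    return consistent(us) and any(S.mem.get(loc, UNDEF) != y for loc, y in us)


def fire(rule, S, rng):
    """Execute the rule at S: fire all updates simultaneously if the set is
    consistent, otherwise change nothing. Returns a new state; S is untouched."""
    us = update_set(rule, S, rng)
    T = S.copy()
    if consistent(us):
        for loc, y in us:
            T.mem[loc] = y
    return T


def ring_state():
    """Constructed ring a -> b -> c -> a with Token1 on a and Token2 on c."""
    nodes = ("a", "b", "c")
    mem = {("Next", (n,)): m for n, m in zip(nodes, nodes[1:] + nodes[:1])}
    mem[("Token1", ())] = "a"
    mem[("Token2", ())] = "c"
    return State({"Nodes": set(nodes)}, mem)


def free(x):
    """The guard 'x != Token1 and x != Token2' as a term."""
    return lambda S: S.get("Token1") != x and S.get("Token2") != x


swap = Block([Update("Token1", [], nullary("Token2")),
              Update("Token2", [], nullary("Token1"))])
clash = Block([Update("Token1", [], const("a")), Update("Token1", [], const("b"))])
color_all_free = Var("Nodes", lambda x: If(free(x), Update("Colored", [const(x)], const(True))))
color_one_free = Choose("Nodes", lambda x: If(free(x), Update("Colored", [const(x)], const(True))))


def demo(seed=0):
    rng = random.Random(seed)
    S = ring_state()
    swapped = fire(swap, S, rng)                      # the tokens exchange places
    unchanged = fire(clash, S, rng).mem == S.mem      # inconsistent set: no effect
    all_free = fire(color_all_free, S, rng)
    colored = [n for n in sorted(S.universes["Nodes"]) if all_free.get("Colored", n) is True]
    one_free = fire(color_one_free, S, rng)
    picked = [n for n in sorted(S.universes["Nodes"]) if one_free.get("Colored", n) is True]
    return ((swapped.get("Token1"), swapped.get("Token2")),
            unchanged, enabled(clash, S, rng), colored, picked)
```

demo() returns (("c", "a"), True, False, ["b"], picked), where picked is either [] or ["b"] depending on which node the choice rule drew: the block swaps the tokens because both updates are evaluated in the old state, the clashing block is not enabled and leaves the state alone, and the var rule colors exactly the unoccupied node.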
2.5 Distributed Evolving Algebra Programs

Let Υ be a vocabulary that contains the universe Agents, the unary function Mod and the nullary function
Me. A distributed EA program Π of vocabulary Υ consists of a finite set of modules, each of which is a
transition rule with function names from Υ. Each module is assigned a different name; these names are
nullary function names from Υ different from Me. Intuitively, a module is the program to be executed by
one or more agents.

A (global) state of Π is a structure S of vocabulary Υ − {Me} where different module names are interpreted
as different elements of S and the function Mod assigns (the interpretations of) module names to elements
of Agents; Mod is undefined (that is, produces undef) otherwise. If Mod maps an element a to a module
name M, we say that a is an agent with program M.

For each agent a, View_a(S) is the reduct of S to the collection of functions mentioned in the module
Mod(a), expanded by interpreting Me as a. Think about View_a(S) as the local state of agent a corresponding
to the global state S. We say that an agent a is enabled at S if Mod(a) is enabled at View_a(S); that
is, if the update set generated by Mod(a) at View_a(S) is consistent and contains a non-trivial update. This
update set is also an update set over S. To fire a at S, execute that update set.

2.6 Runs 

In this paper, agents are not created or destroyed. Taking this into account, we give a slightly simplified
definition of runs.

A run ρ of a distributed ealgebra program Π of vocabulary Υ from the initial state S_0 is a triple (M, A, σ)
satisfying the following conditions.

1. M, the set of moves of ρ, is a partially ordered set where every {ν : ν < μ} is finite.

   Intuitively, ν < μ means that move ν completes before move μ begins. If M is totally ordered, we say
   that ρ is a sequential run.

2. A assigns agents (of S_0) to moves in such a way that every non-empty set {μ : A(μ) = a} is linearly
   ordered.

   Intuitively, A(μ) is the agent performing move μ; every agent acts sequentially.

3. σ maps finite initial segments of M (including ∅) to states of Π.

   Intuitively, σ(X) is the result of performing all moves of X; σ(∅) is the initial state S_0. States σ(X)
   are the states of ρ.

4. Coherence. If μ is a maximal element of a finite initial segment Y of M, and X = Y − {μ}, then A(μ) is
   enabled at σ(X) and σ(Y) is obtained by firing A(μ) at σ(X).

It may be convenient to associate particular states with single moves. We define Λ(μ) = σ({ν : ν < μ}).

The definition of runs above allows no interaction between the agents on the one side and the external
world on the other. In such a case, a distributed evolving algebra is given by a program and the collection
of initial states. In a more general case, the environment can influence the evolution. Here is a simple way
to handle interaction with the environment which suffices for this paper.

Declare some basic functions (more precisely, some function names) external. Intuitively, only the outside
world can change them. If S is a state of Π let S⁻ be the reduct of S to (the vocabulary of) non-external
functions. Replace the coherence condition with the following:

4'. Coherence. If μ is a maximal element of a finite initial segment Y of M, and X = Y − {μ}, then A(μ) is
    enabled in σ(X) and σ(Y)⁻ is obtained by firing A(μ) at σ(X) and forgetting the external functions.

In applications, external functions usually satisfy certain constraints. For example, a nullary external
function Input may produce only integers. To reflect such constraints, we define regular runs in applications.
A distributed evolving algebra is given by a program, the collection of initial states and the collection of
regular runs. (Of course, regular runs define the initial states, but it may be convenient to specify the initial
states separately.)



3 The Ring Buffer Evolving Algebras 



The evolving algebras R_ea and C_ea, our "official" representations of R_pcsp and C_pcsp, are given in subsections
3.3 and 3.4; see Figures 9 and 10. The reader may proceed there directly and ignore the preceding
subsections where we do the following. We first present in subsection 3.1 an elaborate ealgebra R1 that
formalizes R_pcsp together with its environment; R1 expresses our understanding of how R_pcsp works, how it
communicates with the environment and what the environment is supposed to do. Notice that the environment
and the synchronization magic of CSP are explicit in R1. In subsection 3.2, we then transform R1 into
another ealgebra R2 that performs synchronization implicitly. We transform R2 into R_ea by parallelizing
the rules slightly and making the environment implicit; the result is shown in subsection 3.3. (In a sense,
R1, R2, and R_ea are all equivalent to one another, but we will not formalize this.) We performed a
similar analysis and transformation to create C_ea from C_pcsp; we omit the intermediate stages and present
C_ea directly in subsection 3.4.



3.1 R1: The First of the Row Evolving Algebras

The program for R1, given in Figure 7, contains six modules. The names of the modules reflect the intended
meanings. In particular, modules BuffFrontEnd and BuffBackEnd correspond to the two processes Receiver
and Sender of R_pcsp.

Comment for ealgebraists. In terms of [?], the InputChannel agent is a two-member team comprising
the InputEnvironment and the BuffFrontEnd agents; functions Sender and Receiver are similar to functions
Member_1 and Member_2. Similarly the OutputChannel agent is a team. This case is very simple and one can
get rid of unary functions Sender and Receiver by introducing names for the sending and receiving agents.

Comment for CSP experts. Synchronization is implicit in CSP. It is a built-in magic of CSP. We have
doers of synchronization. (In this connection, the reader may want to see the EA treatment of Occam in
[?].) Nevertheless, synchronization remains abstract. In a sense the abstraction level is even higher: similar
agents can synchronize more than two processes.

Comment. The nondeterministic formalizations of the input and output environments are abstract and 
may be refined in many ways. 



Initial states. In addition to the function names mentioned in the program (and the logic names), the
vocabulary of R1 contains universe names Data, Integers, Zn, Z2, Modes and a subuniverse Senders-and-
Receivers of Agents. Initial states of R1 satisfy the following requirements.

1. The universe Integers and the arithmetical function names mentioned in the program have their usual
meanings. The universe Zn consists of integers modulo N identified with the integers 0, ..., N − 1.
The universe Z2 is similar. p = g = 0. Buffer is of type Zn → Data; InputDatum and OutputDatum
take values in Data.

2. The universe Agents contains six elements to which Mod assigns different module names. We could
have special nullary functions to name the six agents but we don't; we will call them with respect
to their programs: the input environment, the output environment, the input channel, the output
channel, buffer's front end and buffer's back end respectively. Sender(the input channel) = the input
environment, Receiver(the input channel) = buffer's front end, Sender(the output channel) = buffer's
back end, and Receiver(the output channel) = the output environment. The universe Senders-and-
Receivers consists of the two buffer agents and the two environment agents. Nullary functions Ready,
Wait and Work are distinct elements of the universe Modes. The function Mode is defined only over
Senders-and-Receivers. For the sake of simplicity of exposition, we assign particular initial values to
Mode: it assigns Wait to either buffer agent, Work to the input environment agent, and Ready to the
output environment agent.

    Module InputEnvironment
        if Mode(Me) = Work then
            choose v in Data
                InputDatum := v
            endchoose
            Mode(Me) := Ready
        endif

    Module OutputEnvironment
        if Mode(Me) = Work then Mode(Me) := Ready endif

    Module InputChannel
        if Mode(Sender(Me)) = Ready and Mode(Receiver(Me)) = Ready then
            Buffer(p mod N) := InputDatum
            Mode(Sender(Me)) := Work
            Mode(Receiver(Me)) := Work
        endif

    Module OutputChannel
        if Mode(Sender(Me)) = Ready and Mode(Receiver(Me)) = Ready then
            OutputDatum := Buffer(g mod N)
            Mode(Sender(Me)) := Work
            Mode(Receiver(Me)) := Work
        endif

    Module BuffFrontEnd
        Rule FrontWait
            if Mode(Me) = Wait and p − g ≠ N then Mode(Me) := Ready endif
        Rule FrontWork
            if Mode(Me) = Work then p := p + 1, Mode(Me) := Wait endif

    Module BuffBackEnd
        Rule BackWait
            if Mode(Me) = Wait and p − g ≠ 0 then Mode(Me) := Ready endif
        Rule BackWork
            if Mode(Me) = Work then g := g + 1, Mode(Me) := Wait endif

Figure 7: The program for R1.

Analysis. In the rest of this subsection, we prove that R1 has the intended properties.

Lemma 1 (Typing Lemma for R1) In every state of any run of R1, the dynamic functions have the
following (intended) types.

1. Mode: Senders-and-Receivers → Modes.

2. InputDatum, OutputDatum: Data.

3. p, g: Integers.

4. Buffer: Zn → Data.

Proof. By induction over states. □

Lemma 2 (The p and g Lemma for R1) Let ρ be an arbitrary run of R1. In every state of ρ, 0 ≤
p − g ≤ N. Furthermore, if p − g = 0 then Mode(buffer's back end) = Wait, and if p − g = N then
Mode(buffer's front end) = Wait.

Proof. An obvious induction. See Lemma [?] in this regard. □

Lemma 3 (Ordering Lemma for R1) In any run of R1, we have the following.

1. If μ is a move of the input channel and ν is a move of buffer's front end then either μ < ν or ν < μ.

2. If μ is a move of the output channel and ν is a move of buffer's back end then either μ < ν or ν < μ.

3. For any buffer slot k, if μ is a move of the input channel involving slot k and ν is a move of the output
channel involving slot k then either μ < ν or ν < μ.

Proof. Let ρ = (M, A, σ) be a run of R1.

1. Suppose by contradiction that μ and ν are incomparable and let X = {π : π < μ ∨ π < ν}, so that, by
the coherence requirement on the run, both agents are enabled at σ(X). This is impossible because
their guards are contradictory: since the input channel is enabled, the mode of buffer's front end is
Ready at σ(X); but then neither rule of buffer's front end is enabled at σ(X), which gives the desired
contradiction.

2. Similar to part (1).

3. Suppose by contradiction that μ and ν are incomparable and let X = {π : π < μ ∨ π < ν}, so that
both agents are enabled at σ(X). Since μ involves k, p ≡ k (mod N) in σ(X). Similarly, g ≡ k (mod N)
in σ(X). Hence p − g ≡ 0 (mod N) in σ(X). By the p and g lemma, either p − g = 0 or p − g = N
in σ(X). In the first case, the mode of buffer's back end is Wait and therefore the output channel is
disabled. In the second case, the mode of buffer's front end is Wait and therefore the input channel is
disabled. In either case, we have a contradiction. □
Recall that the state of move μ is Λ(μ) = σ({ν : ν < μ}). By the coherence requirement, the agent A(μ) is enabled in Λ(μ).

Consider a run of R1. Let μ_i (respectively, ν_j) be the ith move of the input channel (respectively, the output channel). The value a_i of InputDatum in Λ(μ_i) (that is, the datum to be transmitted during μ_i) is the ith input datum, and the sequence a_0, a_1, ... is the input data sequence. (It is convenient to start counting from 0 rather than 1.) Similarly, the value b_j of OutputDatum in Λ(ν_j) is the jth output datum of R1 and the sequence b_0, b_1, ... is the output data sequence.

Lamport writes: 

To make the example more interesting, we assume no liveness properties for sending values on 
the in channel, but we require that every value received in the buffer be eventually sent on the out 
channel. 

With this in mind, we call a run regular if the output sequence is exactly as long as the input sequence. 

Theorem 1 For a regular run, the output sequence is identical with the input sequence.

Proof. Let μ_0, μ_1, ... be the moves of the input channel and ν_0, ν_1, ... be the moves of the output channel. A simple induction shows that μ_i stores the ith input datum a_i at slot i mod N and p = i at Λ(μ_i). Similarly, ν_j sends out the jth output datum b_j from slot j mod N and g = j at Λ(ν_j). If μ_i < ν_i < μ_{i+N}, then a_i = b_i. We show that, for all i, μ_i < ν_i < μ_{i+N}.

By the p and g lemma, p − g > 0 in Λ(ν_j) for any j, and p − g < N in Λ(μ_j) for any j.

1. Suppose ν_i < μ_i. Taking into account the monotonicity of p, we have the following at Λ(ν_i): p ≤ i, g = i and therefore p − g ≤ 0, which is impossible.

2. Suppose μ_{i+N} < ν_i. Taking into account the monotonicity of g, we have the following at Λ(μ_{i+N}): p = i + N, g ≤ i, and therefore p − g ≥ N, which is impossible.

By the ordering lemma, ν_i is order-comparable with both μ_i and μ_{i+N}. It follows that μ_i < ν_i < μ_{i+N}. □

3.2 R2: The Second of the Row Evolving Algebras 

One obvious difference between R_pcsp and R1 is the following: R1 explicitly manages the communication channels between the buffer and the environment, while R_pcsp does not. By playing with the modes of senders and receivers, the channel modules of R1 provide explicit synchronization between the environment and the buffers. This synchronization is implicit in the "?" and "!" operators of CSP. To remedy this, we transform R1 into an ealgebra R2 in which communication occurs implicitly. R2 must somehow ensure synchronization. There are several options.

1. Allow BuffFrontEnd (respectively, BuffBackEnd) to modify the mode of the input environment (respectively, the output environment) to ensure synchronization.

This approach is feasible but undesirable. It is unfair; the buffer acts as a receiver on the input channel 
and a sender on the output channel but exerts complete control over the actions of both channels. 
Imagine that the output environment represents another buffer, which operates as our buffer does; in 
such a case both agents would try to exert complete control over the common channel. 

2. Assume that BuffFrontEnd (respectively, BuffBackEnd) does not execute until the input environment 
(respectively, the output environment) is ready. 

This semantical approach reflects the synchronization magic of CSP. It is quite feasible. Moreover, it 
is common in the EA literature to make assumptions about the environment when necessary. It is not 
necessary in this case because there are very easy programming solutions (see the next two items) to 
the problem. 
3. Use an additional bit for either channel which tells us whether the channel is ready for communication or not.

In fact, a state of a channel comprises a datum and an additional bit in the TLA part of Lamport's 
paper. One can avoid dealing with states of the channel by requiring that each sender and receiver 
across a channel maintains its own bit (a well-known trick) which brings us to the following option. 

4. Use a bookkeeping bit for every sender and every receiver. 

It does not really matter, technically speaking, which of the four routes is chosen. To an extent, the choice is a matter of taste. We choose the fourth approach. The resulting ealgebra R2 is shown in Figure 8.

Notice that the sender can place data into a channel only when the synchronization bits match, and the 
receiver can read the data in a channel only when the synchronization bits do not match. 

The initial states of R2 satisfy the first condition on the initial states of Rl. The universe Agents contains 
four elements to which Mod assigns different module names; we will call them with respect to their programs: 
the input environment, the output environment, buffer's front end, and buffer's back end, respectively. 
The universe BufferAgents contains the buffer's front end and buffer's back end agents. Nullary functions 
InSendBit, InReceiveBit, OutSendBit, OutReceiveBit are all equal to 0. Nullary functions Ready, Wait and 
Work are distinct elements of the universe Modes. The function Mode is defined only over BufferAgents; it 
assigns Wait to each buffer agent. InputDatum and OutputDatum take values in Data. Define the input 
and output sequences and regular runs as in Rl. 

Let T1 be the vocabulary of R1 and T2 be the vocabulary of R2.

Lemma 4 Every run ρ = (M, A, σ) of R1 induces a run ρ' = (M, B, τ) of R2 where:

1. If μ ∈ M and A(μ) is not a channel agent, then B(μ) = A(μ). If A(μ) = the input channel, then B(μ) = buffer's front end. If A(μ) = the output channel, then B(μ) = buffer's back end.

2. Let X be a finite initial segment of M. τ(X) is the unique state satisfying the following conditions:

(a) τ(X)|(T1 ∩ T2) = σ(X)|(T1 ∩ T2)

(b) InReceiveBit = p mod 2 if the mode of buffer's front end is Wait or Ready, and 1 − p mod 2 otherwise.

(c) OutSendBit = g mod 2 if the mode of buffer's back end is Wait or Ready, and 1 − g mod 2 otherwise.

(d) InSendBit = InReceiveBit if the mode of the input environment is Work, and 1 − InReceiveBit otherwise.

(e) OutReceiveBit = OutSendBit if the mode of the output environment is Ready, and 1 − OutSendBit otherwise.

Proof. We check that ρ' is indeed a run of R2. By the ordering lemma for R1, the moves of every agent of R2 are linearly ordered. It remains to check only the coherence condition; the other conditions are obvious. Suppose that Y is a finite initial segment of M with a maximal element μ and X = Y − {μ}. Using the facts that A(μ) is enabled in σ(X) and σ(Y) is the result of executing A(μ) in σ(X), it is easy to check that B(μ) is enabled in τ(X) and τ(Y) is the result of executing B(μ) at τ(X). □

Lemma 5 Conversely, every run of R2 is induced (in the sense of the preceding lemma) by a unique run of R1.

The proof is easy and we skip it. 
Module InputEnvironment
    if InSendBit = InReceiveBit then
        choose v in Data
            InputDatum := v
        endchoose
        InSendBit := 1 - InSendBit
    endif

Module OutputEnvironment
    if OutSendBit ≠ OutReceiveBit then
        OutReceiveBit := 1 - OutReceiveBit
    endif

Module BuffFrontEnd
    Rule FrontWait
        if Mode(Me) = Wait and p - g ≠ N then Mode(Me) := Ready endif
    Rule FrontCommunicate
        if Mode(Me) = Ready and InSendBit ≠ InReceiveBit then
            Buffer(p mod N) := InputDatum
            Mode(Me) := Work
            InReceiveBit := 1 - InReceiveBit
        endif
    Rule FrontWork
        if Mode(Me) = Work then p := p + 1, Mode(Me) := Wait endif

Module BuffBackEnd
    Rule BackWait
        if Mode(Me) = Wait and p - g ≠ 0 then Mode(Me) := Ready endif
    Rule BackCommunicate
        if Mode(Me) = Ready and OutSendBit = OutReceiveBit then
            OutputDatum := Buffer(g mod N)
            Mode(Me) := Work
            OutSendBit := 1 - OutSendBit
        endif
    Rule BackWork
        if Mode(Me) = Work then g := g + 1, Mode(Me) := Wait endif

Figure 8: The program for R2.
3.3 R_ea: The Official Row Evolving Algebra

After establishing that p − g ≠ N and before executing the FrontCommunicate rule, buffer's front end goes to mode Ready. This corresponds to nothing in R_pcsp, which calls for merging the FrontWait and FrontCommunicate rules. On the other hand, R_pcsp augments p after performing an act of communication. There is no logical necessity to delay the augmentation of p. For aesthetic reasons we merge the FrontWork rule with the other two rules of BuffFrontEnd. Then we do a similar parallelization for BuffBackEnd. Finally we simplify the names BuffFrontEnd and BuffBackEnd to FrontEnd and BackEnd respectively.

A certain disaccord still remains because the environment is implicit in R_pcsp. To remedy this, we remove the environment modules, asserting that the functions InputDatum, InSendBit, and OutReceiveBit which were updated by the environment modules are now external functions. The result is our official ealgebra R_ea, shown in Figure 9.



Module FrontEnd
    if p - g ≠ N and InSendBit ≠ InReceiveBit then
        Buffer(p mod N) := InputDatum
        InReceiveBit := 1 - InReceiveBit
        p := p + 1
    endif

Module BackEnd
    if p - g ≠ 0 and OutSendBit = OutReceiveBit then
        OutputDatum := Buffer(g mod N)
        OutSendBit := 1 - OutSendBit
        g := g + 1
    endif

Figure 9: The program for R_ea.

The initial states of R_ea satisfy the first condition on the initial states of R1: the universe Integers and the arithmetical function names mentioned in the program have their usual meanings; the universe Z_N consists of integers modulo N identified with the integers 0, ..., N − 1; the universe Z_2 is similar; p = g = 0; Buffer is of type Z_N → Data; InputDatum and OutputDatum take values in Data.

Additionally, the universe Agents contains two elements to which Mod assigns different module names. InSendBit, InReceiveBit, OutSendBit, and OutReceiveBit are all equal to 0. InputDatum and OutputDatum take values in Data.

The definition of regular runs of R_ea is slightly more complicated, due to the presence of the external functions InputDatum, InSendBit, and OutReceiveBit. We require that the output sequence is at least as long as the input sequence, InputDatum is of type Data, and InSendBit and OutReceiveBit are both of type Z_2.

We skip the proof that R_ea is faithful to R2.

3.4 C_ea: The Official Column Evolving Algebra

The evolving algebra C_ea is shown in Figure 10 below. It can be obtained from C_pcsp in the same way that R_ea can be obtained from R_pcsp; for brevity, we omit the intermediate stages.

Initial states. The initial states of C_ea satisfy the following conditions.
Module Slot
    Rule Get
        if Mode(Me) = Get and InputTurn(Me)
            and InSendBit ≠ InReceiveBit then
            Buffer(Me) := InputDatum
            InReceiveBit := 1 - InReceiveBit
            pp(Me) := 1 - pp(Me)
            Mode(Me) := Put
        endif
    Rule Put
        if Mode(Me) = Put and OutputTurn(Me)
            and OutSendBit = OutReceiveBit then
            OutputDatum := Buffer(Me)
            OutSendBit := 1 - OutSendBit
            gg(Me) := 1 - gg(Me)
            Mode(Me) := Get
        endif

InputTurn(x) abbreviates
    [x = 0 and pp(0) = pp(N - 1)] or [x ≠ 0 and pp(x) ≠ pp(x - 1)]
OutputTurn(x) abbreviates
    [x = 0 and gg(0) = gg(N - 1)] or [x ≠ 0 and gg(x) ≠ gg(x - 1)]

Figure 10: The program for C_ea.
1. The first condition for the initial states of R1 is satisfied except we don't have functions p and g now. Instead we have dynamic functions pp and gg with domain Z_N and pp(i) = gg(i) = 0 for all i in Z_N.

2. The universe Agents consists of the elements of Z_N, which are mapped by Mod to the module name Slot. Nullary functions Get and Put are distinct elements of the universe Modes. The dynamic function Mode is defined over Agents; Mode(x) = Get for every x in Z_N. InputDatum and OutputDatum are elements of Data. Nullary functions InSendBit, InReceiveBit, OutSendBit, OutReceiveBit are all equal to 0.

Regular runs are defined similarly to R_ea; we require that the output sequence is at least as long as the input sequence, InputDatum is of type Data, and InSendBit and OutReceiveBit take values in Z_2.

4 Equivalence 

We define a strong version of lock-step equivalence for ealgebras which for brevity we call lock-step equivalence. We then prove that R_ea and C_ea are lock-step equivalent. We start with an even stronger version of lock-step equivalence which we call strict lock-step equivalence.

For simplicity, we restrict attention to ealgebras with a fixed superuniverse. In other words, we suppose that all initial states have the same superuniverse. This assumption does not reduce generality because the superuniverse can always be chosen to be sufficiently large.

4.1 Strict Lock-Step Equivalence 

Let A and B be ealgebras with the same superuniverse and suppose that h is a one-to-one mapping from the states of A onto the states of B such that if h(a) = b then a and b have identical interpretations of the function names common to A and B. Call a run (M, A, σ) of A strictly h-similar to a partially ordered run (N, B, τ) of B if there is an isomorphism η : M → N such that for every finite initial segment X of M, h(σ(X)) = τ(Y), where Y = {η(μ) : μ ∈ X}. Call A and B strictly h-similar if every run of A is strictly h-similar to a run of B, and every run of B is strictly h^{-1}-similar to a run of A. Finally call A and B strictly lock-step equivalent if there exists an h such that they are strictly h-similar.

Ideally we would like to prove that R_ea and C_ea are strictly lock-step equivalent. Unfortunately this is false, which is especially easy to see if the universe Data is finite. In this case, any run of C_ea has only finitely many different states; this is not true for R_ea because p and g may take arbitrarily large integer values. One can rewrite either R_ea or C_ea to make them strictly lock-step equivalent. For example, C_ea can be modified to perform math on pp and gg over Integers instead of Z_2. We will not change either ealgebra; instead we will slightly weaken the notion of strict lock-step equivalence.

4.2 Lock-Step Equivalence 

If an agent α of an ealgebra A is enabled at a state a, let Result(α, a) be the result of firing α at a; otherwise let Result(α, a) = a.

Say that an equivalence relation ≡ on the states of A respects a function name f of A if f has the same interpretation in equivalent states. The equivalence class of a will be denoted [a] and called the configuration of a. Call ≡ a congruence if a_1 ≡ a_2 → Result(α, a_1) ≡ Result(α, a_2) for any states a_1, a_2 and any agent α.

Let A and B be ealgebras with the same superuniverse and congruences ≡_A and ≡_B respectively. (We will drop the subscripts on ≡ when no confusion arises.) We suppose that either congruence respects the function names common to A and B. Further, let h be a one-to-one mapping of ≡_A-configurations onto ≡_B-configurations such that, for every function name f common to A and B, if h([a]) = [b], then f_a = f_b.

Call a partially ordered run (M, A, σ) of A h-similar to a partially ordered run (N, B, τ) of B if there is an isomorphism η : M → N such that, for every finite initial segment X of M, h([σ(X)]) = [τ(Y)], where Y = {η(μ) : μ ∈ X}. Call A and B h-similar if every run of A is h-similar to a run of B, and every run of B is h^{-1}-similar to a run of A. Call A and B lock-step equivalent (with respect to ≡_A and ≡_B) if there exists an h such that A and B are h-similar.

Note that strict lock-step equivalence is a special case of lock-step equivalence, where ≡_A and ≡_B are both the identity relation.

Assuming that R_ea and C_ea have the same superuniverse, we will show that R_ea is lock-step equivalent to C_ea with respect to the congruences defined below.

Remark. The assumption that R_ea and C_ea have the same superuniverse means essentially that the superuniverse of C_ea contains all integers even though most of them are not needed. It is possible to remove the assumption. This leads to slight modifications in the proof. One cannot require that a common function name f has literally the same interpretation in a state of R_ea and a state of C_ea. Instead require that the interpretations are essentially the same. For example, if f is a predicate, require that the set of tuples where f is true is the same.

Definition 1 For states c, d of C_ea, c ≡ d if c = d.

Since each configuration of C_ea has only one element, we identify a state of C_ea with its configuration. Let e_a denote the value of an expression e at a state a.

Definition 2 For states a, b of R_ea, a ≡ b if:

• g_a = g_b mod 2N

• (p − g)_a = (p − g)_b

• f_a = f_b for all other function names f.

Let div represent integer division: i div j = ⌊i/j⌋.

Lemma 6 If a ≡_R b then we have the following modulo 2:

• p_a div N = p_b div N

• g_a div N = g_b div N

Proof. We prove the desired property for p; the proof for g is similar.

By the definition of ≡_R, we have the following modulo 2N: p_a = g_a + (p − g)_a = g_b + (p − g)_b = p_b. Thus, there are non-negative integers x_1, x_2, x_3, y such that p_a = 2N x_1 + N x_2 + x_3, p_b = 2N y + N x_2 + x_3, x_2 ≤ 1, and x_3 < N. Hence p_a div N = 2x_1 + x_2 and p_b div N = 2y + x_2, which are equal modulo 2. □

We define a mapping h from configurations of R_ea onto configurations of C_ea.

Definition 3 If a is a state of R_ea, then h([a]) is the state c of C_ea such that

    pp(i)_c = p_a div N mod 2          if i ≥ p_a mod N
              1 − (p_a div N) mod 2    otherwise

    gg(i)_c = g_a div N mod 2          if i ≥ g_a mod N
              1 − (g_a div N) mod 2    otherwise

and for all common function names f, f_c = f_a.

Thus, h relates the counters p, g used in R_ea and the counters pp, gg used in C_ea. (Notice that by Lemma 6, h is well-defined.) We have not said anything about Mode because Mode is uniquely defined by the rest of the state (see Lemma 12 below) and is redundant.

We now prove that R_ea and C_ea are h-similar.
4.3 Properties of R_ea

We say that a is a state of a run (M, A, σ) if a = σ(X) for some finite initial segment X of M.

Lemma 7 For any state b of any run of R_ea, 0 ≤ (p − g)_b ≤ N.

Proof. By induction. Initially, p = g = 0.

Let (M, A, σ) be a run of R_ea. Let X be a finite initial segment of M with maximal element μ, such that 0 ≤ p − g ≤ N holds in a = σ(X − {μ}). Let b = σ(X).

• If A(μ) is the front end agent and is enabled in a, then 0 ≤ (p − g)_a < N. The front end agent increments p but does not alter g; thus, 0 ≤ (p − g)_b ≤ N.

• If A(μ) is the back end agent and is enabled in a, then 0 < (p − g)_a ≤ N. The back end agent increments g but does not alter p; thus, 0 ≤ (p − g)_b ≤ N. □

Lemma 8 Fix a non-negative integer k < N. For any run (M, A, σ) of R_ea, the k-slot moves of M (that is, the moves of M which involve Buffer(k)) are linearly ordered.

Proof. Similar to Lemma 3. □

4.4 Properties of C_ea

Lemma 9 For any run of C_ea, there is a mapping In from states of C_ea to Z_N such that if In(c) = k, then:

• InputTurn(Me) is true for agent k and for no other agent.

• For all i < k, pp(i)_c = 1 − pp(k)_c.

• For all k < i < N, pp(i)_c = pp(k)_c.

Proof. By induction. Initially, agent 0 (and no other) satisfies InputTurn(Me) and pp(i) = 0 holds for every agent i. Thus, if c is an initial state, In(c) = 0.

Let (M, A, σ) be a run of C_ea. Let Y be a finite initial segment of M with maximal element μ, such that the requirements hold in c = σ(Y − {μ}). Let d = σ(Y).

If A(μ) executes rule Put, pp is not modified and In(d) = In(c). Otherwise, if rule Get is enabled for A(μ), executing rule Get increments pp(In(c)) modulo 2, and In(d) = In(c) + 1 mod N is the desired value. This is obvious if In(c) < N − 1. If In(c) = N − 1, then all values of pp are equal in d and In(d) = 0 satisfies the requirements. □

Lemma 10 For any run of C_ea, there is a mapping Out from states of C_ea to Z_N such that if Out(c) = k, then:

• OutputTurn(Me) is true for agent k and no other agent.

• For all i < k, gg(i)_c = 1 − gg(k)_c.

• For all k < i < N, gg(i)_c = gg(k)_c.

Proof. Parallel to that of the last lemma. □

It is easy to see that every move μ of C_ea involves an execution of rule Get or rule Put but not both. (More precisely, consider finite initial segments Y of moves where μ is a maximal element of Y. Any such Y is obtained from Y − {μ} either by executing Get in state σ(Y − {μ}), or by executing Put in state σ(Y − {μ}).) In the first case, call μ a Get move. In the second case, call μ a Put move.

Lemma 11 In any run (M, A, σ) of C_ea, all Get moves are linearly ordered and all Put moves are linearly ordered.
Proof. We prove the claim for rule Get; the proof for rule Put is similar. By contradiction, suppose that there are two incomparable Get moves μ and ν. By the coherence condition for runs, both rules are enabled in state σ(X), where X = {π : π < μ ∨ π < ν}. By Lemma 9, A(μ) = A(ν). But all moves of the same agent are ordered; this gives the desired contradiction. □

Lemma 12 In any state d of any run of C_ea, for any agent k,

    Mode(k)_d = Get    if pp(k)_d = gg(k)_d
                Put    if pp(k)_d = 1 − gg(k)_d

Proof. We fix a k and do induction over runs. Initially, Mode(k) = Get and pp(k) = gg(k) = 0 for every agent k.

Let Y be a finite initial segment of a run with maximal element μ such that (by the induction hypothesis) the required condition holds in c = σ(Y − {μ}). Let d = σ(Y).

If A(μ) ≠ k, none of Mode(k), pp(k), and gg(k) are affected by executing A(μ) in c, so the condition holds in d. If A(μ) = k, we have two cases.

• If agent k executes rule Get in state c, we must have Mode(k)_c = Get (from rule Get) and pp(k)_c = gg(k)_c (by the induction hypothesis). Firing rule Get yields Mode(k)_d = Put and pp(k)_d = 1 − pp(k)_c = 1 − gg(k)_d.

• If agent k executes rule Put in state c, we must have Mode(k)_c = Put (from rule Put) and pp(k)_c = 1 − gg(k)_c (by the induction hypothesis). Firing rule Put yields Mode(k)_d = Get and gg(k)_d = 1 − gg(k)_c = pp(k)_d. □

Remark. This lemma shows that function Mode is indeed redundant.

4.5 Proof of Equivalence

Lemma 13 If h([a]) = c, then In(c) = p_a mod N and Out(c) = g_a mod N.

Proof. Recall that In(c) is the agent k for which InputTurn(k)_c holds. Lemma 9 asserts that pp(i)_c has one value for i < k and another for i ≥ k. By the definition of h, this "switch-point" in pp occurs at p_a mod N. The proof for Out(c) is similar. □

Lemma 14 Module FrontEnd is enabled in state a of R_ea iff rule Get is enabled in state c = h([a]) of C_ea for agent In(c).

Proof. Let k = In(c), so that InputTurn(k)_c holds. Both FrontEnd and Get have InSendBit ≠ InReceiveBit in their guards. It thus suffices to show that (p − g)_a ≠ N iff Mode(k)_c = Get. By Lemma 12, it suffices to show that (p − g)_a ≠ N iff pp(k)_c = gg(k)_c.

Suppose (p − g)_a ≠ N. There exist non-negative integers x_1, x_2, x_3, x_4 such that p_a = x_1 N + x_3, g_a = x_2 N + x_4, and x_3, x_4 < N. (Note that by Lemma 13, k = p_a mod N = x_3.)

By Lemma 7, 0 ≤ (p − g)_a < N. There are two cases.

• x_1 = x_2 and x_3 ≥ x_4. By definition of h, we have that, modulo 2, pp(x_3)_c = p_a div N = x_1 and, for all i ≥ g_a mod N = x_4, gg(i)_c = g_a div N = x_2. Since x_3 ≥ x_4, we have that, modulo 2, gg(x_3)_c = x_2 = x_1 = pp(x_3)_c, as desired.

• x_1 = x_2 + 1 and x_3 < x_4. By definition of h, we have that, modulo 2, pp(x_3)_c = p_a div N = x_1 and, for all i < g_a mod N = x_4, gg(i)_c = 1 − g_a div N = x_2 + 1. Since x_3 < x_4, we have that, modulo 2, gg(x_3)_c = x_2 + 1 = x_1 = pp(x_3)_c, as desired.

On the other hand, suppose (p − g)_a = N. Then p_a div N and g_a div N differ by 1, while p_a mod N = g_a mod N. By definition of h, pp(i)_c = 1 − gg(i)_c for all i, including k. □
Lemma 15 Module BackEnd is enabled in state a iff rule Put is enabled in state c = h([a]) for agent Out(c).

Proof. Similar to that of the last lemma. □

Lemma 16 Suppose that module FrontEnd is enabled in a state a of R_ea for the front end agent I and rule Get is enabled in a state c = h([a]) of C_ea for agent In(c). Let b = Result(I, a) and d = Result(In(c), c). Then d = h([b]).

Proof. We check that h([b]) = d.

• Both agents execute InReceiveBit := 1 − InReceiveBit.

• The front end agent executes Buffer(p mod N) := InputDatum. Agent In(c) executes Buffer(In(c)) := InputDatum. By Lemma 13, In(c) = p_a mod N, so these updates are identical.

• The front end agent executes p := p + 1. Agent In(c) executes pp(In(c)) := 1 − pp(In(c)). The definition of h and the fact that pp(i)_c = pp(i)_{h([a])} for all i ∈ Z_N imply that pp(i)_d = pp(i)_{h([b])}.

• Agent In(c) executes Mode(In(c)) := Put. By Lemma 12, this update is redundant and need not have a corresponding update by the front end agent. □

Lemma 17 Suppose that module BackEnd is enabled in a state a of R_ea for the back end agent O and rule Put is enabled in a state c = h([a]) of C_ea for agent Out(c). Let b = Result(O, a) and d = Result(Out(c), c). Then d = h([b]).

Proof. Parallel to that of the last lemma. □

Theorem 2 R_ea is lock-step equivalent to C_ea.

Proof. Let Λ(μ) = Λ_R(μ) and Λ'(μ) = Λ_C(μ).

We begin by showing that any run (M, A, σ) of R_ea is h-similar to a run of C_ea, using the definition of h given earlier. Construct a run (M, A', σ') of C_ea,, where σ'(X) = h([σ(X)]) and A' is defined as follows. Let μ be a move of M, a = Λ(μ), and c = h([Λ(μ)]). Then A'(μ) = In(c) if A(μ) is the front end agent, and A'(μ) = Out(c) if A(μ) is the back end agent.

We check that (M, A', σ') satisfies the four requirements for a run of C_ea stated in Section 2.6.

1. Trivial, since (M, A, σ) is a run.

2. By Lemma 8, it suffices to show that for any μ, if A'(μ) = k, then A(μ) is a k-slot move. By the construction above and Lemma 13, we have modulo N that k = In(c) = p_a if A(μ) is the front end agent and k = Out(c) = g_a if A(μ) is the back end agent. In either case, μ is a k-slot move.

3. Since σ' = h ∘ σ, σ' maps finite initial segments of M to states of C_ea.

4. Coherence. Let Y be a finite initial segment of M with a maximal element μ, and X = Y − {μ}. Thus Result(A(μ), σ(X)) = σ(Y). By Lemma 14 or 15, A'(μ) is enabled in σ'(X). By Lemma 16 or 17, Result(A'(μ), σ'(X)) = σ'(Y).

Continuing, we must also show that for any run (M, A', σ') of C_ea, there is a run (M, A, σ) of R_ea which is h-similar to it.

We define A as follows. Consider the action of agent A'(μ) at state Λ'(μ). If A'(μ) executes rule Get, set A(μ) to be the front end agent. If A'(μ) executes rule Put, set A(μ) to be the back end agent.

We check that the moves of the front end agent are linearly ordered. By Lemma 11, it suffices to show that if A(μ) is the front end agent, then A'(μ) executes Get in state Λ'(μ), which is true by construction of A. A similar argument shows that the moves of the back end agent are linearly ordered.

We define σ inductively over finite initial segments of M. σ(∅) is the unique initial state in h^{-1}(σ'(∅)).

Let Y be a finite initial segment with a maximal element μ such that σ is defined at X = Y − {μ}. Choose σ(Y) from h^{-1}(σ'(Y)) such that σ(Y) = Result(A(μ), σ(X)). Is it possible to select such a σ(Y)? Yes. By Lemma 14 or 15, A(μ) is enabled in σ(X) iff A'(μ) is enabled in σ'(X). By Lemma 16 or 17, Result(A(μ), σ(X)) ∈ h^{-1}(Result(A'(μ), σ'(X))). It is easy to check that (M, A, σ) is a run of R_ea which is h-similar to (M, A', σ'). □
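As an added illustration, not code from the paper, the following Python models R_ea (Figure 9) and C_ea (Figure 10), the mapping h of Definition 3, and a simulated environment that drives both ealgebras from their initial states under identical choices of the external functions. After every move it checks the facts the preceding lemmas establish: In(c) = p mod N and Out(c) = g mod N (Lemma 13), identical enabledness (Lemmas 14 and 15), and d = h([b]) (Lemmas 16 and 17), so that h really is a lock-step correspondence. The value N = 4, the class and function names, and the random environment are constructed choices of ours.

```python
import random

N = 4  # constructed buffer size; the paper leaves N arbitrary

class Channels:
    """Function names common to R_ea and C_ea (InputDatum, InSendBit, OutReceiveBit are external)."""
    def __init__(self):
        self.buffer = [None] * N
        self.in_datum = self.out_datum = None
        self.in_send = self.in_recv = self.out_send = self.out_recv = 0
    def common(self):
        return (list(self.buffer), self.in_datum, self.out_datum,
                self.in_send, self.in_recv, self.out_send, self.out_recv)

class REa(Channels):
    """R_ea (Figure 9): agents FrontEnd and BackEnd with unbounded counters p, g."""
    def __init__(self):
        super().__init__()
        self.p = self.g = 0
    def front_enabled(self):  # guard of Module FrontEnd
        return self.p - self.g != N and self.in_send != self.in_recv
    def back_enabled(self):  # guard of Module BackEnd
        return self.p - self.g != 0 and self.out_send == self.out_recv
    def front(self):  # updates of Module FrontEnd
        self.buffer[self.p % N] = self.in_datum
        self.in_recv, self.p = 1 - self.in_recv, self.p + 1
    def back(self):  # updates of Module BackEnd
        self.out_datum = self.buffer[self.g % N]
        self.out_send, self.g = 1 - self.out_send, self.g + 1

class CEa(Channels):
    """C_ea (Figure 10): one Slot agent per element of Z_N, with one-bit counters pp, gg."""
    def __init__(self):
        super().__init__()
        self.pp, self.gg, self.mode = [0] * N, [0] * N, ["Get"] * N
    @staticmethod
    def turn(bits, x):  # InputTurn(x) for bits = pp, OutputTurn(x) for bits = gg
        return (x == 0 and bits[0] == bits[N - 1]) or (x != 0 and bits[x] != bits[x - 1])
    def get_enabled(self, k):  # guard of Rule Get for agent k
        return self.mode[k] == "Get" and self.turn(self.pp, k) and self.in_send != self.in_recv
    def put_enabled(self, k):  # guard of Rule Put for agent k
        return self.mode[k] == "Put" and self.turn(self.gg, k) and self.out_send == self.out_recv
    def get(self, k):  # updates of Rule Get
        self.buffer[k], self.in_recv = self.in_datum, 1 - self.in_recv
        self.pp[k], self.mode[k] = 1 - self.pp[k], "Put"
    def put(self, k):  # updates of Rule Put
        self.out_datum, self.out_send = self.buffer[k], 1 - self.out_send
        self.gg[k], self.mode[k] = 1 - self.gg[k], "Get"
    def state(self):
        return (list(self.pp), list(self.gg), list(self.mode)) + self.common()

def h(a):
    """Definition 3: the C_ea state h([a]) determined by an R_ea state a."""
    c = CEa()
    for i in range(N):
        c.pp[i] = (a.p // N) % 2 if i >= a.p % N else 1 - (a.p // N) % 2
        c.gg[i] = (a.g // N) % 2 if i >= a.g % N else 1 - (a.g // N) % 2
        c.mode[i] = "Get" if c.pp[i] == c.gg[i] else "Put"  # Lemma 12: Mode is redundant
    (c.buffer, c.in_datum, c.out_datum, c.in_send, c.in_recv, c.out_send, c.out_recv) = a.common()
    return c

def whose_turn(bits):
    """In(c) for bits = pp, Out(c) for bits = gg (Lemmas 9 and 10): the agent whose turn it is."""
    agents = [k for k in range(N) if CEa.turn(bits, k)]
    if len(agents) != 1:
        raise AssertionError("turn is not unique: %r" % (bits,))
    return agents[0]

def lockstep_walk(steps, seed=0):
    """Run R_ea and C_ea from their initial states under one random environment and check
    after every move that they stay in lock step via h. Returns the number of moves made."""
    rng = random.Random(seed)
    a, c, moves = REa(), CEa(), 0
    for _ in range(steps):
        # the environment may change the external functions between any two moves
        a.in_datum = c.in_datum = rng.randrange(100)
        a.in_send = c.in_send = rng.randrange(2)
        a.out_recv = c.out_recv = rng.randrange(2)
        k_in, k_out = whose_turn(c.pp), whose_turn(c.gg)
        if (k_in, k_out) != (a.p % N, a.g % N):  # Lemma 13
            raise AssertionError("In(c), Out(c) differ from p, g mod N")
        if a.front_enabled() != c.get_enabled(k_in) or a.back_enabled() != c.put_enabled(k_out):
            raise AssertionError("enabledness differs")  # Lemmas 14 and 15
        choices = [m for m in ("front", "back") if getattr(a, m + "_enabled")()]
        if not choices:
            continue  # neither agent is enabled; only the environment moves
        if rng.choice(choices) == "front":
            a.front(); c.get(k_in)
        else:
            a.back(); c.put(k_out)
        moves += 1
        if h(a).state() != c.state():  # Lemmas 16 and 17: d = h([b])
            raise AssertionError("lock step broken after move %d" % moves)
    return moves
```

Because h depends on p and g only through p div N mod 2, g div N mod 2 and their residues mod N, two R_ea states congruent in the sense of Definition 2 are sent to the same C_ea state, which is the well-definedness claimed via Lemma 6.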

5 Inequivalence 

We have proven that our formalizations R_ea and C_ea of R_pcsp and C_pcsp are lock-step equivalent. Nevertheless, R_pcsp and C_pcsp are inequivalent in various other ways. In the following discussion we exhibit some of these inequivalences. The discussion is informal, but it is not difficult to prove these inequivalences using appropriate formalizations of R_pcsp and C_pcsp. Let R = R_pcsp and C = C_pcsp.

Magnitude of Values. R uses unrestricted integers as its counters; in contrast, C uses only single bits for the same purpose. We have already used this phenomenon to show that R_ea and C_ea are not strictly lock-step equivalent. One can put the same argument in a more practical way. Imagine that the universe Data is finite and small, and that a computer with limited memory is used to execute R and C. R's counters may eventually exceed the memory capacity of the computer. C would have no such problem.

Types of Sharing. R shares access to the buffer between both processes; in contrast, each process in C has exclusive access to its portion of the buffer. Conversely, processes in C share access to both the input and output channels, while each process in R has exclusive access to one channel. Imagine an architecture in which processes pay in one way or another for acquiring a channel. C would be more expensive to use on such a system.

Degree of Sharing. How many internal locations used by each algorithm must be shared between processes? R shares access to N + 2 locations: the N locations of the buffer and 2 counter variables. C shares access to 2N locations: the 2N counter variables. Sharing locations may not be without cost; some provision must be made for handling conflicts (e.g. read/write conflicts) at a given location. Imagine that a user must pay for each shared location (but not for private variables, regardless of size). In such a scenario, C would be more expensive than R to run.

These contrasts can be made a little more dramatic. For example, one could construct another version of the ring buffer algorithm which uses 2N processes, each of which is responsible for an input or output action (but not both) to a particular buffer position. All of the locations it uses will be shared. It is lock-step equivalent to R and C; yet, few people would choose to use this version because it exacerbates the disadvantages of C. Alternatively, one could write a single processor (sequential) algorithm which is equivalent in a different sense to R and C; it would produce the same output as R and C when given the same input but would have the disadvantage of not allowing all orderings of actions possible for R and C.